Outline Exploiting other vulnerabilities Return address protections CSci 5271 Introduction to Computer Security Announcements intermission Day 5: Low-level defenses and BCECHO demo counterattacks ASLR and counterattacks Stephen McCamant University of Minnesota, Computer Science & Engineering W ✟ X (DEP) Epilogue: BCVI Makefile Null pointer dereference Format string attack Add offset to make a predictable Attacker-controlled format: little pointer interpreter On Windows, interesting address start low Step one: add extra integer specifiers, Allocate data on the zero page dump stack Most common in user-space to kernel attacks Already useful for information disclosure Read more dangerous than a write Format string attack layout Format string attack layout
Format string attack: overwrite Outline Exploiting other vulnerabilities ✪♥ specifier: store number of chars Return address protections written so far to pointer arg Announcements intermission Advance format arg pointer to other attacker-controlled data BCECHO demo Control number of chars written with ASLR and counterattacks padding W ✟ X (DEP) On x86, use unaligned stores to create Epilogue: BCVI Makefile pointer Canary in the coal mine Adjacent canary idea Photo credit: Fir0002 CC-BY-SA Terminator canary Random canary Value hard to reproduce because it would tell the copy to stop Can’t reproduce because attacker can’t StackGuard: 0x00 0D 0A FF guess 0: String functions For efficiency, usually one per execution newline: ❢❣❡ts (), etc. -1: ❣❡t❝ () Ineffective if disclosed carriage return: similar to newline? Doesn’t stop: ♠❡♠❝♣② , custom loops
XOR canary Further refinements Want to protect against non-sequential More flexible to do earlier in compiler overwrites Rearrange buffers after other variables XOR return address with value ❝ at Reduce chance of non-control overwrite entry Skip canaries for functions with only XOR again with ❝ before return small variables Who has an overflow bug in an 8-byte Standard choice for ❝ : see random array? canary What’s usually not protected? Where to keep canary value Backwards overflows Fast to access Function pointers Buggy code/attacker can’t read or write Adjacent structure fields Linux/x86: ✪❣s✿✵①✶✹ Adjacent static data objects Complex anti-canary attack Complex anti-canary attack Canary not updated on ❢♦r❦ in server Canary not updated on ❢♦r❦ in server Attacker controls number of bytes Attacker controls number of bytes overwritten overwritten ANRY BNRY CNRY DNRY ENRY FNRY search ✷ ✸✷ ✦ search ✹ ✁ ✷ ✽
Shadow return stack Outline Exploiting other vulnerabilities Suppose you have a safe place to store Return address protections the canary Announcements intermission Why not just store the return address BCECHO demo there? ASLR and counterattacks Needs to be a separate stack W ✟ X (DEP) Ultimate return address protection Epilogue: BCVI Makefile You may notice Pre-proposals due tonight Most groups formed? We’re catching up with the readings One PDF per group, include schedule Today: StackGuard, ASLR attacks choices Next time: CFI, Shacham ROP Submit via Moodle by 11:55pm Supplemental office hours tomorrow HA1 reminders Attack 2 due Friday, harder than Tomorrow (Thursday), 11am-noon in attack 1 4-225E Keep backups if you need to reset VM Are my regular office hours at bad Consider Moodle or email to both staff times? with questions
BCECHO Outline Exploiting other vulnerabilities Return address protections An even simpler buffer overflow Announcements intermission example BCECHO demo Can compile like BCVI, install setuid root ASLR and counterattacks Will use for attack demo purposes W ✟ X (DEP) Epilogue: BCVI Makefile Outline Basic idea Exploiting other vulnerabilities Return address protections “Address Space Layout Randomization” Announcements intermission Move memory areas around randomly so attackers can’t predict addresses BCECHO demo Keep internal structure unchanged ASLR and counterattacks E.g., whole stack moves together W ✟ X (DEP) Epilogue: BCVI Makefile Code and data locations Relocation (Windows) Extension of technique already used in Execution of code depends on memory compilation location E.g., on 32-bit x86: Keep table of absolute addresses, instructions on how to update Direct jumps are relative Function pointers are absolute Disadvantage: code modifications take Data must be absolute time on load, prevent sharing
PIC/PIE (GNU/Linux) What’s not covered “Position-Independent Code / Executable” Main executable (Linux 32-bit PIC) Keep code unchanged, use register to Incompatible DLLs (Windows) point to data area Relative locations within a module/area Disadvantage: code complexity, register pressure hurt performance Entropy limitations Leakage limitations Intuitively, entropy measures amount of If an attacker learns the randomized randomness, in bits base address, can reconstruct other Random 32-bit int: 32 bits of entropy locations ASLR page aligned, so at most Any stack address ✦ stack ✸✷ ✲ ✶✷ ❂ ✷✵ bits of entropy unprotected, etc. Other constraints further reduce possibilities GOT hijack (M¨ uller) GOT hijack (M¨ uller) Main program fixed, libc randomized ♣r✐♥t❢❅♣❧t✿ ❥♠♣ ✯✵①✽✵✹✾✻✼✽ ✳✳✳ PLT in main program used to call libc s②st❡♠❅♣❧t✿ ❥♠♣ ✯✵①✽✵✹✾✻✼❝ Rewire PLT to call attacker’s favorite ✳✳✳ libc functions ✵①✽✵✹✾✻✼✽✿ ❁❛❞❞r ♦❢ ♣r✐♥t❢ ✐♥ ❧✐❜❝❃ E.g., turn ♣r✐♥t❢ into s②st❡♠ ✵①✽✵✹✾✻✼❝✿ ❁❛❞❞r ♦❢ s②st❡♠ ✐♥ ❧✐❜❝❃
ret2pop (M¨ uller) ret2pop (M¨ uller) Take advantage of shellcode pointer already present on stack Rewrite intervening stack to treat the shellcode pointer like a return address A long sequence of chained returns, one pop Outline Basic idea Exploiting other vulnerabilities Traditional shellcode must go in a Return address protections memory area that is writable, so the shellcode can be inserted Announcements intermission executable, so the shellcode can be BCECHO demo executed But benign code usually does not need ASLR and counterattacks this combination W ✟ X (DEP) W xor X, really ✿ ✭ ❲ ❫ ❳ ✮ Epilogue: BCVI Makefile Non-writable code, ❳ ✦ ✿ ❲ Non-executable data, ❲ ✦ ✿ ❳ Prohibit execution of static data, stack, E.g., read-only .text section heap Has been standard for a while, Not a problem for most programs especially on Unix Incompatible with some GCC features no Lets OS efficiently share code with one uses Non-executable stack opt-in on Linux, but multiple program instances now near-universal
Implementing ❲ ✟ ❳ One important exception Page protection implemented by CPU Remaining important use of Some architectures (e.g. SPARC) long self-modifying code: just-in-time (JIT) compilers supported ❲ ✟ ❳ x86 historically did not E.g., all modern JavaScript engines One bit controls both read and execute Allow code to re-enable execution Partial stop-gap “code segment limit” per-block Eventual obvious solution: add new bit ♠♣r♦t❡❝t , ❱✐rt✉❛❧Pr♦t❡❝t Now a favorite target of attackers NX (AMD), XD (Intel), XN (ARM) Counterattack: code reuse Classic return-to-libc (1997) Overwrite stack with copies of: Attacker can’t execute new code Pointer to libc’s s②st❡♠ function So, take advantage of instructions Pointer to ✧✴❜✐♥✴s❤✧ string (also in libc) already in binary The s②st❡♠ function is especially There are usually a lot of them convenient And no need to obey original structure Distinctive feature: return to entry point Chained return-to-libc Beyond return-to-libc Shellcode often wants a sequence of actions, e.g. Can we do more? Oh, yes. Restore privileges Classic academic approach: what’s the Allow execution of memory area most we could ask for? Overwrite system file, etc. Can put multiple fake frames on the Here: “Turing completeness” stack How to do it: reading for Thursday Basic idea present in 1997, further refinements
Outline BCVI Makefile Exploiting other vulnerabilities Return address protections Announcements intermission ❈❋▲❆●❙ ✿❂ ✲❣ ✲❲❛❧❧ ✲♠✸✷ ❭ ✲❢♥♦✲st❛❝❦✲♣r♦t❡❝t♦r ❭ BCECHO demo ✲③ ❡①❡❝st❛❝❦ ✲③ ♥♦r❡❧r♦ ASLR and counterattacks W ✟ X (DEP) Epilogue: BCVI Makefile BCVI Makefile BCVI Makefile ❈❋▲❆●❙ ✿❂ ✲❣ ✲❲❛❧❧ ✲♠✸✷ ❭ ❈❋▲❆●❙ ✿❂ ✲❣ ✲❲❛❧❧ ✲♠✸✷ ❭ ✲❢♥♦✲st❛❝❦✲♣r♦t❡❝t♦r ❭ ✲❢♥♦✲st❛❝❦✲♣r♦t❡❝t♦r ❭ ✲③ ❡①❡❝st❛❝❦ ✲③ ♥♦r❡❧r♦ ✲③ ❡①❡❝st❛❝❦ ✲③ ♥♦r❡❧r♦ Standard non-security options Turn off canaries BCVI Makefile BCVI Makefile ❈❋▲❆●❙ ✿❂ ✲❣ ✲❲❛❧❧ ✲♠✸✷ ❭ ❈❋▲❆●❙ ✿❂ ✲❣ ✲❲❛❧❧ ✲♠✸✷ ❭ ✲❢♥♦✲st❛❝❦✲♣r♦t❡❝t♦r ❭ ✲❢♥♦✲st❛❝❦✲♣r♦t❡❝t♦r ❭ ✲③ ❡①❡❝st❛❝❦ ✲③ ♥♦r❡❧r♦ ✲③ ❡①❡❝st❛❝❦ ✲③ ♥♦r❡❧r♦ Allow execution on stack Leave GOT writable
Recommend
More recommend